Upgrading to Release 9.1
This section describes how to upgrade your Gateway to Release 9.1. These instructions apply to:
gateway91
This section describes how to upgrade your Gateway to Release 9.1. These instructions apply to:
- Hardware appliances
- Virtual appliances
- Software Gateways
Support for the Thales nShield Solo HSM is reinstated in v9.1, but existing users of the HSM must first upgrade the firmware as described below.
Overview of the steps:
Background
The
CA API Gateway
is designed around two major components: Platform and Application.- ThePlatformconsists of the server that runs the API Gateway appliance and the dependency applications and tools that are located on it. This includes (but not limited to) the Linux kernel, OpenSSL, and MySQL.
- TheApplicationis the Java component of the API Gateway. It comprises the Oracle Java JDK and the Java programs that comprise the API Management suite.
These two components are designed to be updated separately, allowing systems administrators to upgrade the Platform without upgrading the Application. This ensures that the
CA API Gateway
remains compliant with security protocols and is protected against common threats. A CA API Gateway
upgrade involves upgrading both the Platform and Application.Step 1: Upgrade Thales HSM Firmware (if required)
If you do not use the Thales HSM, click here to jump to Step 2.
IMPORTANT:
(1) Follow the directions carefully, as an incorrect firmware upgrade may render your HSM inoperable. Once an upgrade is performed, it is not possible to return to the previous version of the firmware. (2) You will need to rebuild the security world after upgrading the firmware. Consult the nShield User Guide for instructions.Support for the Thales nShield Solo+ (formerly "nCipher") HSM has been restored in version 9.1. If your site incorporates the nShield Solo, you need to upgrade the firmware to make it compatible with the drivers in 9.1.
Contact Thales for the firmware upgrade files; these files are not provided by CA Technologies. Consult the
Thales nShield Solo User Guide
for complete instructions on upgrading the firmware. Instead of running the
nfloadmon
command as described in the Thales nShield Solo User Guide
, you must prepend the command with a temporarily updated PATH environment variable. For example:PATH="/opt/nfast/bin/:$PATH" /opt/nfast/bin/nfloadmon -m1 --automode
<firmware-upgrade-folder>
/2-60-1/ldb_ncx3p-26.nff /opt/ncipher-firmware-upgrade/2-61-2/ncx3p-26.nffWhere
"<firmware-upgrade-folder>"
is the directory containing the firmware upgrade files (for example, "/opt/ncipher-firmware-upgrade").The following is a summary of the firmware upgrade procedure:
- Uploadncx3p-26.nffto this directory on the Gateway:/opt/ncipher-firmware-upgrade/2-61-2Uploadldb_ncx3p-26.nffto this directory:/opt/ncipher-firmware-upgrade/2-60-1
- Log in to the Gateway as eitherrootor as a user in the group 'nfast'.
- Put the module into Pre-Maintenance mode and then reset the module. See "How to Change Modes" below for more details.
- Run theenquirycommand to check that the module is in the Pre-Maintenance state:# /opt/nfast/bin/enquiryThe HSM enters into maintenance mode when it receives a maintenance command (for example, running "loadrom" from the command line utility.
- Run the following command to load the new firmware and monitor:# PATH="/opt/nfast/bin/:$PATH" /opt/nfast/bin/nfloadmon -m1 --automode /opt/ncipher-firmware-upgrade/2-60-1/ldb_ncx3p-26.nff /opt/ncipher-firmware-upgrade/2-61-2/ncx3p-26.nff
- If prompted, switch the card to Pre-Initialization mode and then reset the module. See "How to Change Modes" below for more details.
- Run theenquirycommand again (see step 4) to check that the module is in the Pre-Initialization state.
- Run the following command to initialize the module:# /opt/nfast/bin/initunit
- (Optional) To confirm that the monitor upgraded successfully, put the module into Maintenance mode and then reset the module. See "How to Change Modes" below for more details. Now if you run theenquirycommand (see step 4), you should see that the monitor version has been upgraded to 3.21.3.
- Put the module into Operational mode and then reset the module. See "How to Change Modes" below for more details.
- Run theenquirycommand again (see step 4) to verify that the module is in the Operational state and has the correct firmware version.
How to Change Modes
There are two ways to change modes:
- Physical mode switch:This involves manually moving the switch on the nShield Solo card on the back of the Gateway appliance.
- Move the switch to the desired mode (I, O, or M)
- Reset the module by doing one of the following:
- Press the recessed reset button on the card, or
- Run the command:# /opt/nfast/bin/nopclearfail --clear --all
- Remote mode switch:This involves remotely changing the mode of the nShield Solo card from a computer using thenoclearfailcommand. Note the following:
- This is only available on nShield Solo running firmware version 2.61.2.
- Physical mode switch on the card must be in the "O" position.
- Physical mode override jumper on the card is set to "on", while the remote mode override jumper on the card is NOT set to "on".
- Change the mode using the command:# /opt/nfast/bin/nopclearfail --[maintenance|operational|initialization]
Step 2: Download the Update Files
The tables below list the file(s) you need to update to Release 9.1. Note that the older the source version, the more update files required.
The update files are contained in the distribution archive files for the release. See "Distribution Archives for 9.1" in Release Notes 9.1 to look up which archive file to download.
For information on how to download the archive files from the CA Support site, see "Obtain the Patch Files" in Patch an Appliance Gateway or Patch a Software Gateway.
Platform Updates
Platform updates are required for Hardware Appliances and Virtual Appliances. They are not required for Software Gateways. (The expectation is that the host machine on which the Gateway is installed is updated according to best practices.)
: Prior to upgrading Gateway, you will need to install the kernel patch, CA_API_PlatformUpdate_64bit_vKernel-2018-10-05.L7P. The patch installation is a one-time requirement for each Gateway upgrade attempt. An upgrade attempt consists of the installation of one or more platform upgrade patches and ends with the installation of a single Gateway upgrade patch.
Install all platform updates in the order listed. Omitting an update may result in unexpected errors in the Gateway.
Upgrading from... | Updates required... | From this image... |
9.0.0 | Layer7_PlatformUpdate_64bit_v9.1.00.L7P | GEN06140236E.zip |
8.4.02 | Layer7_PlatformUpdate_64bit_v9.1.00.L7P | GEN06140236E.zip |
8.4.01 | Layer7_PlatformUpdate_64bit_v9.1.00.L7P | GEN06140236E.zip |
8.4.00 | Layer7_PlatformUpdate_64bit_v9.0.00.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD11144421E.zip GEN06140236E.zip |
8.3.01 | Layer7_PlatformUpdate_64bit_v8.4.01.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD02111831E.ISO GEN06140236E.zip |
8.3.00 | Layer7_PlatformUpdate_64bit_v8.4.00.L7P Layer7_PlatformUpdate_64bit_v9.0.00.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD06165653E.ISO DVD11144421E.zip GEN06140236E.zip |
8.2.00 | Layer7_PlatformUpdate_64bit_v8.3.00.L7P Layer7_PlatformUpdate_64bit_v8.4.00.L7P Layer7_PlatformUpdate_64bit_v9.0.00.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD02121541E.ISO DVD06165653E.ISO DVD11144421E.zip GEN06140236E.zip |
8.1.0 | Layer7_PlatformUpdate_64bit_v8.2.00.L7P Layer7_PlatformUpdate_64bit_v8.3.00.L7P Layer7_PlatformUpdate_64bit_v8.4.00.L7P Layer7_PlatformUpdate_64bit_v9.0.00.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD09131550E.ISO DVD02121541E.ISO DVD06165653E.ISO DVD11144421E.zip GEN06140236E.zip |
8.0.0 | Layer7_UpdateTrustStore.L7P Layer7_PlatformUpdate_64bit_v8.1.0.L7P Layer7_PlatformUpdate_64bit_v8.2.00.L7P Layer7_PlatformUpdate_64bit_v8.3.00.L7P Layer7_PlatformUpdate_64bit_v8.4.00.L7P Layer7_PlatformUpdate_64bit_v9.0.00.L7P Layer7_PlatformUpdate_64bit_v9.1.00.L7P | DVD01155803E.iso DVD01155803E.iso DVD09131550E.ISO DVD02121541E.ISO DVD06165653E.ISO DVD11144421E.zip GEN06140236E.zip |
Application Update for Appliance
The following update file is used for all Appliance Gateways (hardware or virtual):
Layer7_v9.1.00.L7P
This file is located in the
GEN06140236E.zip
archive and must be installed last.Application Update for Software (RHEL/Solaris)
The following update file is used for all Software Gateways:
Layer7_v9.1.00.L7P
(RHEL)L7TECHssg-9.1.00-6342.pkg
(Solaris)This file is located in the
GEN06135643E.zip
archive.CA Single Sign-On Users, note the following:
- If the CA Single Sign-On SDK v12.51 already exists on the Gateway, applying the patch updates the SDK to v12.52 (for both Software and Appliance Gateways).
- Applying the L7P patch to a Software gateway that has no CA Single Sign-On SDK installed doesnotinstall the v12.52 SDK. If you need this SDK, see Install the CA Single Sign-On SDK for Software Gateways to install it manually.
Step 3: Install the Update Files
Select the upgrade instructions for your Gateway form factor:
- Upgrading an Appliance or Virtual Gateway:Follow the instructions under Upgrade an Appliance Gateway.
- Upgrading a Software Gateway:Follow the instructions under Upgrade a Software Gateway for the appropriate operating system.